win.lurk

Lurk


There is no description at this point.

References
2014-08-07 — Secureworks — Brett Stone-Gross
@online{stonegross:20140807:malware:5bb1963, author = {Brett Stone-Gross}, title = {{Malware Analysis of the Lurk Downloader}}, date = {2014-08-07}, organization = {Secureworks}, url = {https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader}, language = {English}, urldate = {2019-12-19} } Malware Analysis of the Lurk Downloader
Lurk
Yara Rules
[TLP:WHITE] win_lurk_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_lurk_auto {
    // Purpose: detect code belonging to the win.lurk family by matching a
    // subset of x86 instruction-byte sequences selected automatically by
    // yara-signator (see DISCLAIMER below). The rule fires when at least 7 of
    // the 16 $sequence_* patterns are found and the scanned object is smaller
    // than 5316608 bytes; no single sequence is required, so a partial match
    // across several sequences is enough.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Operational note (defender): because the sequences were taken from
    // memory dumps and unpacked files, the rule is best applied to unpacked
    // code or process memory; a packed or encrypted on-disk sample may not
    // expose these bytes, so a non-match there does not rule the family out.

    // Each $sequence_N is a raw x86 byte pattern. The `??` wildcards mask
    // bytes that vary between builds (given signator_config, these appear to
    // be call/jump targets and data references -- the lines whose disassembly
    // column is left blank). The "n = ..., score = ..." comments record the
    // number of instructions in the sequence and yara-signator's ranking
    // score for it; the score is informational only and is not evaluated by
    // YARA.
    strings:
        $sequence_0 = { ff7508 ff15???????? 8b35???????? 50 ff7508 }
            // n = 5, score = 1100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_1 = { 8b4508 5b 5f 5e c9 c3 55 }
            // n = 7, score = 900
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_2 = { c7450802000000 8d45f8 50 ff7508 }
            // n = 4, score = 800
            //   c7450802000000       | mov                 dword ptr [ebp + 8], 2
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_3 = { e8???????? 59 83f86f 7553 0fbe4207 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f86f               | cmp                 eax, 0x6f
            //   7553                 | jne                 0x55
            //   0fbe4207             | movsx               eax, byte ptr [edx + 7]

        $sequence_4 = { e8???????? 59 83f872 7577 0fbe4204 50 }
            // n = 6, score = 800
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f872               | cmp                 eax, 0x72
            //   7577                 | jne                 0x79
            //   0fbe4204             | movsx               eax, byte ptr [edx + 4]
            //   50                   | push                eax

        $sequence_5 = { 817dfcfe030000 7323 8b45fc 8b4de4 8d548108 }
            // n = 5, score = 800
            //   817dfcfe030000       | cmp                 dword ptr [ebp - 4], 0x3fe
            //   7323                 | jae                 0x25
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8d548108             | lea                 edx, [ecx + eax*4 + 8]

        $sequence_6 = { 7523 8d85fcfeffff 50 ff7508 e8???????? 59 59 }
            // n = 7, score = 800
            //   7523                 | jne                 0x25
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_7 = { c70424???????? ff15???????? 85c0 743e }
            // n = 4, score = 800
            //   c70424????????       |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   743e                 | je                  0x40

        $sequence_8 = { e8???????? 0fb74606 83c414 ff45fc 83c328 3945fc 72bc }
            // n = 7, score = 800
            //   e8????????           |                     
            //   0fb74606             | movzx               eax, word ptr [esi + 6]
            //   83c414               | add                 esp, 0x14
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   83c328               | add                 ebx, 0x28
            //   3945fc               | cmp                 dword ptr [ebp - 4], eax
            //   72bc                 | jb                  0xffffffbe

        $sequence_9 = { 85c0 7506 ff15???????? 6a04 }
            // n = 4, score = 800
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8
            //   ff15????????         |                     
            //   6a04                 | push                4

        $sequence_10 = { 83c00b 50 bf???????? 57 ff35???????? ffd6 }
            // n = 6, score = 800
            //   83c00b               | add                 eax, 0xb
            //   50                   | push                eax
            //   bf????????           |                     
            //   57                   | push                edi
            //   ff35????????         |                     
            //   ffd6                 | call                esi

        $sequence_11 = { 8b4dc0 034814 894dfc 8b45e0 8b4010 }
            // n = 5, score = 800
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   034814               | add                 ecx, dword ptr [eax + 0x14]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]

        $sequence_12 = { 0fbe4203 50 e8???????? 59 83f870 0f8581000000 0fbe4204 }
            // n = 7, score = 800
            //   0fbe4203             | movsx               eax, byte ptr [edx + 3]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f870               | cmp                 eax, 0x70
            //   0f8581000000         | jne                 0x87
            //   0fbe4204             | movsx               eax, byte ptr [edx + 4]

        $sequence_13 = { 83c410 85db 7412 8b451c }
            // n = 4, score = 800
            //   83c410               | add                 esp, 0x10
            //   85db                 | test                ebx, ebx
            //   7412                 | je                  0x14
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]

        $sequence_14 = { 69c055550500 8945f0 69c077770700 8945f4 53 8b450c ff30 }
            // n = 7, score = 800
            //   69c055550500         | imul                eax, eax, 0x55555
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   69c077770700         | imul                eax, eax, 0x77777
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   53                   | push                ebx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ff30                 | push                dword ptr [eax]

        $sequence_15 = { 66890a e9???????? 0fb745fc 83f804 0f85b6000000 }
            // n = 5, score = 800
            //   66890a               | mov                 word ptr [edx], cx
            //   e9????????           |                     
            //   0fb745fc             | movzx               eax, word ptr [ebp - 4]
            //   83f804               | cmp                 eax, 4
            //   0f85b6000000         | jne                 0xbc

    // Match threshold: 7 of the 16 sequences (any combination) plus an upper
    // size bound of 5316608 bytes. The size bound limits scan cost and false
    // positives on large objects; note that it also excludes memory regions or
    // files larger than that, so raise it deliberately if scanning big dumps.
    // The 7-of-16 threshold is a generator default-style tolerance, not a
    // tuned value -- per the DISCLAIMER it was derived from few samples, so
    // assign confidence to hits accordingly and corroborate with other data.
    condition:
        7 of them and filesize < 5316608
}